htaccess securing ftp upload folder

Posted: Wed May 11, 2005 8:55 pm
by The Monkey
Hello there,

I'm running into an interesting security issue, and I feel like I may be trying to shoot myself in the foot.

I want users to have ftp access to their own private folder, using an ftp client (i.e., a web-based client won't work because external programs have to be able to upload xml files).

Of course, all they would need would be a php file that includes the config file and dumps the database to ruin pretty much everything. So my question is: while I can't do anything about what filetypes are uploaded through whichever ftp program they choose, if I deny from all (via .htaccess) all files which don't match a regex (jpg, jpeg, gif, xml), there would be no way for them to execute the potentially harmful (php, mainly) files, correct?

- Monkey

Posted: Thu May 12, 2005 1:59 am
by AGISB
A regex check for extensions will be a security flaw, as malicious code could be in a jpg file as well.

Posted: Thu May 12, 2005 11:52 am
by Skara
Indeed. Don't forget extensions don't truly exist in *nix.
If you allow people to upload things, plan on getting screwed eventually.

[offtopic]
O.o You're from my state! ^_^
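Both halves of this thread, the name-based deny rule the question proposes and the replies' point that a file's name proves nothing about its contents, as an added Apache .htaccess example (not code from this thread or its posters). It assumes Apache 2.2-era Order/Deny/Allow syntax, PHP running as mod_php, and a server config whose AllowOverride permits these directives; all three are assumptions, not facts from the thread.

```apache
# .htaccess for the FTP-writable upload directory (added example).
# Assumptions: Apache 2.2-style access control, PHP (if any) loaded as mod_php,
# and AllowOverride Limit FileInfo Options granted for this directory.

# 1. The name-based allow-list from the question: serve only names ending in
#    jpg/jpeg/gif/xml, refuse everything else. On its own this is the weak
#    setting the replies object to: a file called photo.jpg passes it whatever
#    bytes it contains, and the name is all this rule ever looks at.
Order Deny,Allow
Deny from all
<FilesMatch "\.(?i:jpe?g|gif|xml)$">
    Allow from all
</FilesMatch>

# 2. The hardening the replies imply: make the directory incapable of executing
#    anything, regardless of name. Every file here is served as a static
#    download by the default handler or not served at all.
<IfModule mod_php4.c>
    php_flag engine off
</IfModule>
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5 .pl .py .cgi
RemoveType .php .phtml .php3 .php4 .php5
SetHandler default-handler
Options -ExecCGI -Includes -Indexes
```

Even with both halves in place the uploaded file still sits on disk, and nothing here protects any other script on the server that reads or includes files from this directory, which is why the second reply's warning still applies.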